In 2009, when Susan Clements-Jeffrey purchased a used laptop from a student at the high school where she substitute taught, chances are she didn’t expect that the transaction would conclude with local police in her living room, laughing at her and calling her "stupid" while showing her explicit pictures of herself taken from her computer. Later, at the police station, according to court documents, the abuse continued, with the men now calling her disgusting while reading from her private instant message chats. The laptop, it turned out, had been stolen before she bought it, and it came equipped with a Remote Access Tool, or RAT.

RATs are software that allow a third party to spy on a computer user from afar, whether rifling through messages and browsing activity, photographing the computer screen, or in many cases hijacking the webcam and taking photographs of whomever is on the other side. RATs are widely used in a variety of contexts, some benign, others not. Across the board, abuse tends to be the rule.

It’s hard to know how many RATs are out there because of their covert nature. Recent reports confirm hundreds of thousands of computers infected in 2014 by only a single type of RAT, with the actual number of infections across years and technology far, far higher. School districts have used RATs to spy on students in their bedrooms; rent-to-own computer stores have secretly watched their customers. Online, at places like HackForums.net, individuals, often men, trade and sell access to strangers' computers, often women, gained via RAT. The jargon that ratters use underscores the power dynamic—ratted computers are called "slaves."

The problem, for the public, is that we know next to nothing about what is "lawfully authorized" law enforcement hacking.

There's a real threat of being watched and recorded where you live, and without your knowledge or consent. Anyone with or near a computer and its webcam is potentially at risk. While cautious browsing can make a difference when it comes to protecting yourself, for ratting victims, U.S. law, late as usual to the party, is lacking.

* * *

Despite repeated violations of privacy via webcam hacking, legal protections against RATs in the United States leave many behind. Theoretically available state-level protections vary widely from place to place, and federal law, as a privacy backstop, is inadequate.

There are counter-intuitive interpretations of aging electronic privacy statute passed before webcams were invented and a federal hacking law that offers a private individual the right to sue but imposes requirements on this right that exclude most victims of ratters. In the case of the government’s use of RATs against the public, the process is comically and characteristically opaque.

Simple changes to U.S. law and policy, though, can meaningfully improve the status quo and ensure that the public is protected. As one of the authors of a recent policy paper reviewing the legal, technological, and policy issues surrounding RATs, I've given a lot of thought to the problem and how we can fix it.

The federal government should clarify the definition of “interception” under Title I of the Electronic Communications Privacy Act (ECPA) and reconsider the damages requirement for private claims in the Computer Fraud and Abuse Act (CFAA) in light of the often non-economic nature of privacy harms. A victim’s suffering is often not financial but emotional.

On a constitutional and procedural level, we should require that law enforcement hacking include automatic transparency, ban government webcam hacking, and be exacting in applying the Fourth Amendment’s warrant requirements. Together, with political will and popular support behind them, change in these areas would empower the public to better respond to ratters—whether individuals or government agents—and improve the privacy of millions.

* * *

Electronic privacy law in the United States is guided by the overlap of the Federal Trade Commission, state law, criminal procedure, executive order, and federal statute. In the last category, few statutes have more potential than the ECPA. ECPA was passed in 1986 as an amendment to the federal Wiretap Act, and, among other things, generally forbids the interception of electronic communications without the consent of a party to that communication. It’s a rule that sounds fairly simple. But in applying the 28-year-old law—which Sen. Patrick Leahy noted in 2013 was "no longer suited" to contemporary threats—courts have turned to a technologically unwieldy metaphor of "flight" to determine which interceptions occur “contemporaneously” with a message’s transmission and thus are covered by the statute. This definitional jig has meant webcam hacking victims are uncovered, with courts reluctant to take the sensible step of including webcam RAT spying under the act’s auspices.

A leading case illustrating the problems with the “in-flight” ECPA approach is Byrd v. Aaron's, Inc., et al., still-pending federal litigation over RAT spying conducted by rent-to-own computer stores franchised by Aaron’s, Inc. At issue are privacy harms suffered by Colorado residents Crystal and Brian Byrd at the hands of a RAT called PC Rental Agent.

In 2010, the Byrds purchased a computer from Colorado Aaron’s, Inc. rent-to-own franchise Aspen Way. According to the suit, the store installed a brand-name RAT on the couple’s computer without telling them. Employees then used the software to take webcam photographs, log messages, and capture screenshots, wrongly thinking the couple was behind on payments. An Aspen Way employee came into the Byrd’s house, alleging delinquency, and, at his door, showed Brian a webcam photo of himself playing poker. The intrusion, he told the Associated Press in 2011, “[felt] like being invaded, like somebody else was in our house."

The Byrds sued a number of parties associated with the incident, including the store and the manufacturer of the trojan. Though ECPA, as the bedrock of U.S. electronic privacy legislation, would seem to apply naturally to the RAT-enabled capture of webcam photographs, keystrokes, and screenshots, a district court judge in their case adopted a pre-trial finding that the photographs were not "intercepted" for the purposes of the statute. The same judge expressed skepticism that the messages and screenshots could have been “intercepted,” either, but still allowed debate of the issue in the case.

The litigation is still underway, but for now, the court's unwillingness to treat webcam snooping as protected under ECPA is a troubling but easily correctable deficiency in the law. Courts, or the legislature, should abandon or retool the "in-flight" metaphor and understand snatched webcam photos as interceptions for the purposes of the statute. (A related suit alleging RAT-enabled interception of privileged and confidential attorney work product is unfolding in Georgia.)

* * *

Another law integral to electronic privacy is the Computer Fraud and Abuse Act (CFAA), and, like ECPA, RATs were not considered when it was written. The CFAA was initially passed, as the story goes, in 1983 when Ronald Reagan saw the hacking film War Games and got freaked out about computer viruses. The law has been updated since, and remains primarily concerned with "unauthorized access" to computers.

Of particular importance here is Section 1030(g), the act’s private right of action. Though the CFAA is foremost a criminal statute, meaning that prosecutors would have the power to decide when it is used, 1030(g) allows a private party to sue in a civil rather than a criminal proceeding, one that might conceivably offer refuge to victims of ratters. But civil suits aren’t a straightforward course of action for victims either.

As it currently stands, a ratting plaintiff must show damages of over $5,000 to be able to use the act's civil provisions. But even great privacy harms do not necessarily translate to dollars—what is the price of having your sex life mocked by strangers in your living room? Of having your home invaded virtually?—so the act ends up unable to protect many who might need it. Amending the CFAA’s damages requirement to take into account the type of harms suffered by ratting victims would offer more people the ability to gain relief under the act’s provisions.

Ratting also raises constitutional and judicial process concerns, relating both to public access to democracy and to the strict warrant requirements regarding searches by the government of private individuals. In this arena, multiple aspects of the legal system are implicated, the CFAA among them.

It would be impossible to ensure that even arguably appropriate uses of surveillance malware would not equal inappropriate and unlawful access.

With law enforcement and intelligence agency hacking on the rise, another section of the CFAA takes on greater importance for victims of ratting. The act contains something of a get-out-of-jail-free provision that shields law enforcement from its reaches. Section 1030(f) explicitly approves of "lawfully authorized investigative, protective, or intelligence activity of a law enforcement [or intelligence] agency of the United States."

The problem, for the public, is that we know next to nothing about what is "lawfully authorized" law enforcement hacking. Agencies keep secret the details of their hacking operations, fighting public efforts to understand their operations. They rely on euphemism and institutional gravity in lieu of transparency when advocating their position, a phenomenon on display in DOJ efforts to loosen RAT spying warrant requirements.

Remotely activating a computer’s webcam means potentially invading the privacy of all those unlucky enough to be in front of the lens, which makes the practice of government ratting constitutionally fraught. The Fourth Amendment requires that spying warrants only be limited closely to a specific, stated target. But because webcams don’t care about warrant orders, it is difficult to foresee a situation where law enforcement could meaningfully ensure its operation would "'effectuate only the purposes for which the order is issued.'" In other words, it would be impossible to ensure that even arguably appropriate uses of surveillance malware would not equal inappropriate and unlawful access as well.

On a strictly practical level, it is debatable that the FBI would ever need to activate a computer's webcam when less invasive means of surveillance like GPS tracking are available. It’s also difficult to be comfortable authorizing more methods of potential constitutional violations to an agency whose history is riddled with them.

Ratting is a practice that is not limited to a branch of government, area of society, or political party—and unless laws are changed, many will continue to be at their mercy.

About the Author

Most Popular

About 10 years ago, after I’d graduated college but when I was still waitressing full-time, I attended an empowerment seminar. It was the kind of nebulous weekend-long event sold as helping people discover their dreams and unburden themselves from past trauma through honesty exercises and the encouragement to “be present.” But there was one moment I’ve never forgotten. The group leader, a man in his 40s, asked anyone in the room of 200 or so people who’d been sexually or physically abused to raise their hands. Six or seven hands tentatively went up. The leader instructed us to close our eyes, and asked the question again. Then he told us to open our eyes. Almost every hand in the room was raised.

And there could be far-reaching consequences for the national economy too.

Four floors above a dull cinder-block lobby in a nondescript building at the Ohio State University, the doors of a slow-moving elevator open on an unexpectedly futuristic 10,000-square-foot laboratory bristling with technology. It’s a reveal reminiscent of a James Bond movie. In fact, the researchers who run this year-old, $750,000 lab at OSU’s Spine Research Institute resort often to Hollywood comparisons.

Thin beams of blue light shoot from 36 of the same kind of infrared motion cameras used to create lifelike characters for films like Avatar. In this case, the researchers are studying the movements of a volunteer fitted with sensors that track his skeleton and muscles as he bends and lifts. Among other things, they say, their work could lead to the kind of robotic exoskeletons imagined in the movie Aliens.

Four decades ago Jimmy Carter was sworn in as the 39th president of the U.S., the original Star Wars movie was released in theaters, and much more.

Four decades ago Jimmy Carter was sworn in as the 39th president of the United States, the original Star Wars movie was released in theaters, the Trans-Alaska pipeline pumped its first barrels of oil, New York City suffered a massive blackout, Radio Shack introduced its new TRS-80 Micro Computer, Grace Jones was a disco queen, the Brazilian soccer star Pele played his “sayonara” game in Japan, and much more. Take a step into a visual time capsule now, for a brief look at the year 1977.

In the media world, as in so many other realms, there is a sharp discontinuity in the timeline: before the 2016 election, and after.

Things we thought we understood—narratives, data, software, news events—have had to be reinterpreted in light of Donald Trump’s surprising win as well as the continuing questions about the role that misinformation and disinformation played in his election.

Tech journalists covering Facebook had a duty to cover what was happening before, during, and after the election. Reporters tried to see past their often liberal political orientations and the unprecedented actions of Donald Trump to see how 2016 was playing out on the internet. Every component of the chaotic digital campaign has been reported on, here at The Atlantic, and elsewhere: Facebook’s enormous distribution power for political information, rapacious partisanship reinforced by distinct media information spheres, the increasing scourge of “viral” hoaxes and other kinds of misinformation that could propagate through those networks, and the Russian information ops agency.

More comfortable online than out partying, post-Millennials are safer, physically, than adolescents have ever been. But they’re on the brink of a mental-health crisis.

One day last summer, around noon, I called Athena, a 13-year-old who lives in Houston, Texas. She answered her phone—she’s had an iPhone since she was 11—sounding as if she’d just woken up. We chatted about her favorite songs and TV shows, and I asked her what she likes to do with her friends. “We go to the mall,” she said. “Do your parents drop you off?,” I asked, recalling my own middle-school days, in the 1980s, when I’d enjoy a few parent-free hours shopping with my friends. “No—I go with my family,” she replied. “We’ll go with my mom and brothers and walk a little behind them. I just have to tell my mom where we’re going. I have to check in every hour or every 30 minutes.”

Those mall trips are infrequent—about once a month. More often, Athena and her friends spend time together on their phones, unchaperoned. Unlike the teens of my generation, who might have spent an evening tying up the family landline with gossip, they talk on Snapchat, the smartphone app that allows users to send pictures and videos that quickly disappear. They make sure to keep up their Snapstreaks, which show how many days in a row they have Snapchatted with each other. Sometimes they save screenshots of particularly ridiculous pictures of friends. “It’s good blackmail,” Athena said. (Because she’s a minor, I’m not using her real name.) She told me she’d spent most of the summer hanging out alone in her room with her phone. That’s just the way her generation is, she said. “We didn’t have a choice to know any life without iPads or iPhones. I think we like our phones more than we like actual people.”

The foundation of Donald Trump’s presidency is the negation of Barack Obama’s legacy.

It is insufficient to statethe obvious of Donald Trump: that he is a white man who would not be president were it not for this fact. With one immediate exception, Trump’s predecessors made their way to high office through the passive power of whiteness—that bloody heirloom which cannot ensure mastery of all events but can conjure a tailwind for most of them. Land theft and human plunder cleared the grounds for Trump’s forefathers and barred others from it. Once upon the field, these men became soldiers, statesmen, and scholars; held court in Paris; presided at Princeton; advanced into the Wilderness and then into the White House. Their individual triumphs made this exclusive party seem above America’s founding sins, and it was forgotten that the former was in fact bound to the latter, that all their victories had transpired on cleared grounds. No such elegant detachment can be attributed to Donald Trump—a president who, more than any other, has made the awful inheritance explicit.

How a seemingly innocuous phrase became a metonym for the skewed sexual politics of show business

The chorus of condemnation against Harvey Weinstein, as dozens of women have come forward to accuse the producer of serial sexual assault and harassment, has often turned on a quaint-sounding show-business cliché: the “casting couch.” Glenn Close, for instance, expressed her anger that “the ‘casting couch’ phenomenon, so to speak, is still a reality in our business and in the world.”

The casting couch—where, as the story goes, aspiring actresses had to trade sexual favors in order to win roles—has been a familiar image in Hollywood since the advent of the studio system in the 1920s and ’30s. Over time, the phrase has become emblematic of the way that sexual aggression has been normalized in an industry dominated by powerful men.

A driver, a transportation official, and a transit advocate explain why Seattle recently saw one of the biggest citywide increases in passenger numbers.

Almost every major U.S. city has seen years of decline in bus ridership, but Seattle has been the exception in recent years. Between 2010 and 2014, Seattle experienced the biggest jump of any major U.S. city. At its peak in 2015, around 78,000 people, or about one in five Seattle workers, rode the bus to work.

That trend has cooled slightly since then, but Seattle continues to see increased overall transit ridership, bucking the national trend of decline. In 2016, Seattle saw transit ridership increase by 4.1 percent—only Houston and Milwaukee saw even half that increase in the same year.

Bus service is crucial to reducing emissions in the Seattle region. According to King County Metro, which serves the region, nearly half of all greenhouse gas emissions in Washington state come from transportation and its operation displaces roughly four times as many emissions as it generates, by taking cars off the road and reducing traffic congestion. The public transit authority has been recognized for its commitment to sustainability and its bus fleet is projected to be 100 percent hybrid or electric by 2018.

The president managed to cause a brief firestorm by falsely accusing predecessors of neglecting slain soldiers, but real answers about why four men were killed are still elusive.

On October 4, four American Special Forces soldiers were killed during an operation in Niger. Since then, the White House has been notably tight-lipped about the incident. During a press conference Monday afternoon, 12 days after the deaths, President Trump finally made his first public comments, but the remarks—in which he admitted he had not yet spoken with the families and briefly attacked Barack Obama—did little to clarify what happened or why the soldiers were in Niger.

Trump spoke at the White House after a meeting with Senate Majority Leader Mitch McConnell, and was asked why he hadn’t spoken about deaths of Sergeant La David Johnson and Staff Sergeants Bryan Black, Dustin Wright, and Jeremiah Johnson.

For the first time, astronomers have detected visible light and gravitational waves from the same source, ushering in a new era in our attempt to understand the cosmos.

In September of 2015, astronomers detected, for the first time, gravitational waves, cosmic ripples that distort the very fabric of space and time. They came from a violent merger of two black holes somewhere in the universe, more than a billion light-years away from Earth. Astronomers observed the phenomenon again in December, and then again in November 2016, and then again in August of this year. The discoveries confirmed a century-old prediction by Albert Einstein, earned a Nobel prize, and ushered in a new field of astronomy.

But while astronomers could observe the effects of the waves in the sensitive instruments built to detect them, they couldn’t see the source. Black holes, as their name suggests, don’t emit any light. To directly observe the origin of gravitational waves, astronomers needed a different kind of collision to send the ripples Earth’s way. This summer, they finally got it.